Proceedings magazine is a communication tool for the Coast Guard's Marine Safety & Security Council. Each quarterly magazine focuses on a specific theme of interest to the marine industry.
Issue link: http://uscgproceedings.epubxp.com/i/436751
28 Proceedings Winter 2014 – 2015 www.uscg.mil/proceedings A "zero-day" vulnerability is a previously unknown tech- nological susceptibility or weakness — typically discovered after it has been exploited. So there are zero days between the time the vulnerability is discovered and the frst attack. Put simply, hackers discover the vulnerability and exploit it, before developers can fx it. For example, the Heartbleed vulnerability created the oppor- tunity for hackers to steal passwords, keys, and other sensi- tive information. 1 This vulnerability existed for more than two years before detection and affected more than 600,000 secure websites, including government agencies, banks, and critical infrastructure. Because computers are ubiquitous in ports and vulnerabilities always exist, protecting that infra- structure from cyber attacks is a pressing need. Zero-Day Vulnerabilities, Exploits, and Attacks For cyber criminals, unpatched vulnerabilities in software are free passes to attack any target using this software. Gen- erally, there is little defense against a zero-day attack. Once it is used, however, it runs the risk of being discovered by the security community, thus most zero-days have limited lifespans. Nonetheless, zero-day attacks can cause wide- spread damage to critical infrastructure in one simultane- ous attack across many targets, including seaports. Zero-Day Vulnerabilities What to do when it's too late to prevent an attack. by PROf. XiuWen liu Florida State University Information Systems PROf. Mike BuRMesTeR Florida State University and Director, Center for Security and Assurance in IT MR. W. OWen ReDWOOD Ph.D. student Department of Computer Science Florida State University MR. fReD WilDeR, CaPTain usCG (ReT.) Maritime Technology and Port Security Consultant MR. JuDD BuTleR Partner Educational Development Group cious actions. exploits — sequences crafted to perform mali- essentially bugs that can be used to build tion completely. Security vulnerabilities are A bug, however, can change the next instruc- cuted faithfully, regardless of mistakes or bugs. are written as zeroes and ones and are exe- also points to the next instruction. Instructions instruction not only performs its operation, it which consist of instruction sequences. An Computers are designed to execute programs, Kheng ho Toh / Hemera / Thinkstock 0 1 1 0 1 0 0 1